On Oct 19, 2012, at 11:07 AM, Robert J. Carr wrote: > I've been using tomcat for many years (so thanks to the devs!) but > this is the first time I've had to use LDAP for authentication. > Reading over the docs on this page were very useful: > > http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm > > However, at the bottom of the section where it talks about using > 'userRoleName': > > This realm configuration would satisfy the new requirements: > <Realm className="org.apache.catalina.realm.JNDIRealm" > connectionURL="ldap://localhost:389" > userBase="ou=people,dc=mycompany,dc=com" > userSearch="(mail={0})" > userRoleName="memberOf" > roleBase="ou=groups,dc=mycompany,dc=com" > roleName="cn" > roleSearch="(uniqueMember={0})" > /> > > I think the last 3 attributes for role are unnecessary, and if so, > then they're confusing. In my test, which is similar to the LDIF > right above it: > > dn: uid=jjones,ou=people,dc=mycompany,dc=com > objectClass: inetOrgPerson > uid: jjones > sn: jones > cn: janet jones > mail: j.jo...@mycompany.com > memberOf: role2 > memberOf: role3 > userPassword: janet > > I didn't need those last 3 role entries and everything worked fine.
You may not need all of the settings. It really depends on the way your LDAP server is structured. In your particular case you didn't need them. Some people will though. For an example of when you will need them see the LDIF used by the documentation. Dan > Just a note because this section is already confusing enough and I > thought that made it worse. > > Sorry if I'm wrong in my assumptions. > > Thanks- > Robert > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org